Critical source files have at least one corresponding test
Why it matters
Auth, payment, billing, and webhook handlers are the highest-risk code in any commercial application — bugs there cause account takeovers, double-charges, missed payments, and data exposure. CWE-1059 (Insufficient Technical Documentation) and the ISO-25010:2011 testability sub-characteristic both flag untested critical paths as systemic risk. An AI agent that generates a Stripe checkout route or a JWT auth handler without writing a corresponding test file leaves the most consequential code in the project completely unverified. A single refactor in lib/billing.ts with no test coverage can silently break revenue collection.
Severity rationale
Critical because untested auth and payment paths are the highest-consequence failure modes in production — bugs there affect money, access, and user data directly.
Remediation
Create a test file for every file under lib/auth*, lib/payment*, lib/billing*, app/api/auth/, app/api/checkout/, and app/api/webhooks/. The test doesn't need to be exhaustive — one covering the happy path is enough to break the pattern:
    // tests/billing.test.ts
    import { calculateInvoice } from '@/lib/billing'

    describe('calculateInvoice', () => {
      it('applies tax to line item total', () => {
        const result = calculateInvoice([{ price: 100, qty: 2 }], 0.1)
        expect(result.subtotal).toBe(200)
        expect(result.tax).toBe(20)
        expect(result.total).toBe(220)
      })

      it('returns zero total for empty items', () => {
        const result = calculateInvoice([], 0.1)
        expect(result.total).toBe(0)
      })
    })
Detection
- ID: critical-paths-have-tests
- Severity: critical
- What to look for: Walk source files for critical paths: any file under lib/auth*, lib/payment*, lib/billing*, lib/stripe*, lib/checkout*, app/api/auth/, app/api/checkout/, app/api/payments/, app/api/billing/, app/api/webhooks/stripe/, app/api/webhooks/clerk/. Count all critical source files. For each, verify a corresponding test file exists (same basename + .test.ts/.spec.ts, OR a file under __tests__/ referencing the source file by import path, OR an E2E test under tests/e2e/ or e2e/ that imports/references the file or its route).
- Pass criteria: 100% of critical source files have at least 1 corresponding test reference. Report: "X critical source files inspected, Y with tests, 0 untested."
- Fail criteria: At least 1 critical source file has no test reference.
- Skip (N/A) when: Project has 0 critical source files (no auth/payment/webhook files detected).
- Cross-reference: For deeper code coverage analysis, the Code Quality Essentials audit (code-quality-essentials) covers test-presence and coverage thresholds.
- Detail on fail: "2 untested critical files: src/lib/billing.ts (no tests/billing.test.ts, no __tests__/billing.test.ts), src/app/api/checkout/route.ts (no test reference)"
- Remediation: Untested critical paths mean a small refactor can silently break payments. Add at least 1 test per critical file:

    // tests/billing.test.ts
    import { calculateInvoice } from '@/lib/billing'

    describe('calculateInvoice', () => {
      it('sums line items with tax', () => {
        const invoice = calculateInvoice([{ price: 100, qty: 2 }], 0.1)
        expect(invoice.subtotal).toBe(200)
        expect(invoice.tax).toBe(20)
        expect(invoice.total).toBe(220)
      })
    })
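The "What to look for" walk and the pass/fail/skip criteria above, sketched as an added example (not the audit's own code) that runs over an in-memory map of paths to file contents. It assumes an optional `src/` prefix, lets any test file count when it references the source by import path or route, and accepts a `route.test.*` match only as a sibling, since every handler shares that basename; `auditCriticalPaths` and `SAMPLE` are hypothetical names.

```javascript
// Added example (not the audit's own code). Input: { "repo/path": "file text" }.
// Critical locations from the rule; the optional leading "src/" is an assumption
// taken from the paths in the rule's sample failure detail.
const CRITICAL = new RegExp('^(?:src/)?(?:' +
  'lib/(?:auth|payment|billing|stripe|checkout)[^/]*(?:/.+)?' +
  '|app/api/(?:auth|checkout|payments|billing|webhooks/stripe|webhooks/clerk)/.+' +
  ')\\.[jt]sx?$');
// Test files: *.test.* / *.spec.*, or anything under __tests__/, tests/e2e/, e2e/.
const IS_TEST = /\.(?:test|spec)\.[jt]sx?$|(?:^|\/)(?:__tests__|e2e)\//;
const dirOf = (p) => p.slice(0, p.lastIndexOf('/'));
const nameOf = (p) => p.slice(p.lastIndexOf('/') + 1);

function auditCriticalPaths(files) {
  const all = Object.keys(files);
  const tests = all.filter((p) => IS_TEST.test(p));
  const critical = all.filter((p) => CRITICAL.test(p) && !IS_TEST.test(p));
  const untested = critical.filter((src) => {
    const rel = src.replace(/\.[jt]sx?$/, '').replace(/^src\//, ''); // lib/billing
    const base = nameOf(rel);
    const route = /^app(\/api\/.+)\/route$/.exec(rel)?.[1];          // /api/checkout
    // A reference must end at a closing quote so lib/billing != lib/billing-utils.
    const refs = [rel, route].filter(Boolean)
      .flatMap((r) => ["'", '"', '`'].map((q) => r + q));
    return !tests.some((t) => {
      const tBase = nameOf(t).replace(/\.(?:test|spec)\.[jt]sx?$/, '');
      // Every handler is named "route", so that basename only counts as a sibling.
      const byName = tBase === base && (base !== 'route' || dirOf(t) === dirOf(src));
      return byName || refs.some((r) => files[t].includes(r));
    });
  });
  if (critical.length === 0) return { status: 'skip', inspected: 0, untested };
  return {
    status: untested.length ? 'fail' : 'pass',
    inspected: critical.length,
    untested,
    report: `${critical.length} critical source files inspected, ` +
      `${critical.length - untested.length} with tests, ${untested.length} untested.`,
  };
}
// Constructed sample repository (not from the page's project).
const SAMPLE = {
  'src/lib/billing.ts': 'export function calculateInvoice() {}',
  'src/lib/auth.ts': 'export function verifySession() {}',
  'src/app/api/checkout/route.ts': 'export async function POST() {}',
  'src/app/api/webhooks/stripe/route.ts': 'export async function POST() {}',
  'tests/billing.test.ts': "import { calculateInvoice } from '@/lib/billing'",
  '__tests__/session.ts': "import { verifySession } from '../src/lib/auth'",
  'tests/e2e/pay.spec.ts': "await request.post('/api/checkout')",
};
```

On the constructed sample, the Stripe webhook handler is the one critical file with no test reference, so the check fails and names it.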
External references
- cwe · CWE-1059 — Insufficient Technical Documentation
- iso-25010:2011 · maintainability.testability — Testability (maintainability sub-characteristic)
History
- 2026-04-18·v1.0.0·Initial import from ai-slop-test-theater·automated